Scripting for Fun and Passion

Phishing Mail into Gmail Inbox from Income Tax Department

We all receive a lot of Phishing Scam Mails everyday and thanks to the mail spam filters[gmail in my case] we never get to see them as they are directly marked spam by your mail client. However, sometimes they do make it to your inbox and they look very real.

I received a similar phishing email from Income Tax Department today. The email id from which it came from was really authentic and hence I was intrigued about the possibility of it being fake. It quoted a income tax amount which looks reasonable and also had the logo of Indian Income Tax Department.

However, with all the authenticity the mail still looked fake, but just to prove that it indeed was fake, I went about exploring the mail headers informations which gmail nicely provides us. And that is where the bad guy[I would hate to call him a Hacker] made the mistake. Actually he didn’t he just went about the traditional way of email spoofing. The bad guy used an address from the which apparently doesn’t exist. The email id was however the interesting part of it was the VIA field which gmail attaches which gave me the info that the email is send from some free hosting account. A quick look at the email header revealed the following information:

Phishing Mail Header by Gmail

Phishing Mail Header by Gmail

The mail had a link to submit the tax refund. The body of the mail looked like this:


Phishing Mail Body

Phishing Mail Body

I copied the Link Address specified in the mail and opened it in the incognito window[I would suggest people to use the same to safeguard against cookie stealing attacks]. The original site for tax collection looked like this:

Phishing Tax Site

Phishing Tax Site

And on choosing a bank [I choose Axis Corporate Bank for testing, never disclose your original bank name =)] We get a pretty good looking login page which again looks very familiar.

Axis Corporate Bank Phishing Page

Axis Corporate Bank Phishing Page

Interestingly the page works for anything which you type as username and password. So you can type in what ever you want. Also before going to payment Google Chromes does inform you that the site is reported for phishing. Apparently the original domain of this site runs an online shopping site:, which I suspect is also a site aimed at stealing your credit card information and I would want to report that for phishing. [Any idea on how to report sites for phishing].

On the final note I did some research about the ip of the site and found out that it is hosted in US on media temple server and doing a whois revealed the following details about the server.

DomainWhois for Phishing site

DomainWhois for Phishing site

Finally, I did mark the mail as spam in my gmail and will hope that google learns and spams other such mails in future. I would just like to remind everyone to follow anti phishing guidelines while browsing and to double check the domain name as well as other security warning from banks while performing any online transaction.


Wishing everyone a safe and happy browsing experience =) Do leave a comment as I would love to read your feedback =)


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: